CVE-2017-17066

Current Description

The (1) i2pd before 2.17 and (2) kovri pre-alpha implementations of the I2P routing protocol do not properly handle Garlic DeliveryTypeTunnel packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading sensitive router memory, aka the GarlicRust bug.

Basic Data

Published	December 05, 2017
Last Modified	October 03, 2019
Assigner	cve@mitre.org
Data Type	CVE
Data Format	MITRE
Data Version	4.0
Problem Type	CWE-125
CVE Data Version	4.0

Base Metric V2

CVSS 2 - Version	2.0
CVSS 2 - Vector String	AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector	NETWORK
CVSS 2 - Access Complexity	LOW
CVSS 2 - Authentication	NONE
CVSS 2 - Confidentiality Impact	PARTIAL
CVSS 2 - Availability Impact	NONE
CVSS 2 - Base Score	5.0
Severity	MEDIUM
Exploitability Score	10.0
Impact Score	2.9
Obtain All Privilege	false
Obtain User Privilege	false
Obtain Other Privilege	false

Base Metric V3

CVSS 3 - Version	3.0
CVSS 3 - Vector String	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 3 - Attack Vector	NETWORK
CVSS 3 - Attack Complexity	LOW
CVSS 3 - Privileges Required	NONE
CVSS 3 - User Interaction	NONE
CVSS 3 - Scope	UNCHANGED
CVSS 3 - Confidentiality Impact	HIGH
CVSS 3 - Integrity Impact	NONE
CVSS 3 - Availability Impact	NONE
CVSS 3 - Base Score	7.5
CVSS 3 - Base Severity	HIGH
Exploitability Score	3.9
Base Severity	HIGH

Configurations

Vulnerable Software List

Vendor	Product	Versions
Getkovri	Kovri	-
I2pd	I2pd	*

References